Posted
by
timothyon Sunday August 07, 2011 @11:35AM
from the that-is-one-tall-order dept.

linkedlinked writes "I'm tired of building my sandcastles on Google's beachfront. I've moved off Docs, Plus, and Analytics, so now it's time to host my own email servers. What are the best self-host open-source email solutions available? I'm looking for 'the full stack' — including a Gmail-competitive web GUI — and don't mind getting my hands dirty to set it up. I leverage most of Gmail's features, including multi-domain support, and fetching from remote POP/IMAP servers. Bonus points: Since I'm a hobbyist, not a sysadmin, and I normally outsource my mail servers, what new security considerations do I need to make in managing these services?"

I think the whole exercise is short sighted. I've been there, done that. The amount of effort to keep everything running, updated, configured, etc is a PITA. Setting up a solid spam filter is a huge undertaking because it's a multi layered approach. SA or equiv, various milters, and more and you still won't come close to GMail. When I finally gave in and decided to switch to Google Apps I was floored by the improvement in Spam filtering.
Are there quirks with Google' stuff. Sure. But they are improving it. I finally today got most of my stuff tied to my personal count migrated to my Apps account. The family enjoy using their apps accounts too compared to what we used to have. We've used IMP, Squirrel Mail, ROundcube, and others. Roundcube is the best in that group interface wise, but is still very buggy. Was Horde fun to play with way back before Google's services existed? Yup - because they were something not easily done elsewhere. But now?
So good luck - it certainly can be done, but to be done right requires a lot of effort that's only worth it if you have nothign better to do or are a internet services admin at work and like to tinker at home. And even then... I can spend all that time spent screwing with my internet 'stack' and apply it to better things now that Google just handles the day to day stuff. Am I concerned about them 'owning' me - maybe a little. But so far, they've not done evil to me. Plus even if I wanted to migrate all my stuff back to a personal server again, Google Voice is the deal breaker for me. Can't live without it.

The C.R.M. 114 was a radio transmission discriminator in the movie Dr. Strangelove. The spam filter was named as a reference to that movie. The discriminator would only allow radio transmission prefixed by a three character code phrase dialed into the unit. It was intended to prevent unauthorized messages from being received by nuclear bombers on their terminal attack. In the movie, the passcode used was 'POE', standing for Purity Of Essence, a phrase repeated by a base commander who drank only rainwater and grain alcohol, afraid the Russians were attacking by poisoning the drinking water and contaminating our natural bodily fluids.

2 spam/day? I consider something very very broken with gmail if two spam messages per month hit my inbox - across all of my Google accounts.

Don't get me wrong - props for building something useful, and even more props for open sourcing it. But objectively, the collective knowledge of Google's engineers combined with the sheer volume of email they can analyze is going to produce a far more accurate tool than any single person could ever hope to produce. I also despise email interfaces that aren't gmail, alth

While yeah, Google does all the grunt-work on the back-end, you still have all the hazards that any SaaS has... and it's not like GMail hasn't had its share of embarrassing security bombs or occasional outages (however brief they may have been) due to either the back-end, or the ISP you use to connect to it.

While yeah, Google does all the grunt-work on the back-end, you still have all the hazards that any SaaS has... and it's not like GMail hasn't had its share of embarrassing security bombs or occasional outages (however brief they may have been) due to either the back-end, or the ISP you use to connect to it.

True - but you can download and remove from the server your mail so at least you can limit the damage while still having the benefits of letting GMail do the grunt work; unless of course Google caches all your mail somewhere else as well.

I've been a sysadmin for about 15 years now. I used to host all my own e-mail, my own website, all that stuff. I had a webmail interface (Squirrelmail), spam filtering, IMAP, blah, blah blah. Then about 6 years ago I got deployed to Iraq. I couldn't use SSH from the DoD network, so updates became a big issue, spam became an issue as I couldn't maintain my filters easily. After a couple of months I went hosted on my domain. Web based admin tools meant I could maintain stuff without SSH, they had a much less "hands on" backup procedure (at the time mine involved CDs), the service was down less often than my DSL used to be... Honestly at this point I can't see the value in maintaining all this stuff for myself. I pay less for hosting than I would have to pay for a "business class" DSL or cable line for the static IP, they handle most of the hard work, and what they don't handle, I manage from a web based dashboard.

There are tradeoffs and disadvantages, but for 80-90% of personal uses cases I can't see why you'd want to personally maintain a server these days. If you simply enjoy doing it, that's one thing. If you have a business of any size, again, there's a good argument for self hosting. For most people though, just pay someone to take care of the grunt work for you. You'll have less downtime, and spend a lot less of your free time fiddling with it.

Very possibly the most insightful post for this article, and I'm without mod points this week. If you value your time at all, and don't want to make your server one of your personal hobbies, it's always better to pay for email service - even it it means just getting a domain and buying an apps account (if you are scared of free).

How many teams of for-profit hackers will be targeting your personal server?

Thousands. Have you ever run a server and looked at access logs? There are thousands of bots running automated attempts to exploit any vulnerability they can find. There are no automated vuln bots that will ever make it into Google's servers. And skilled for-profit hackers don't even bother trying... there are better, smaller, more vulnerable fish that can be fried in much less time.

Almost all security* is based on someone not knowing something. Very very often, that something is either a password or very large random number. Or the physical pattern on a key. Or door/alarm code. Or something read via RFID. Or the algorithm that determines the number on my RSA fob. More commonly when making that claim, it's just a nonstandard port for a service, hidden URL, or combination of several.

If an attacker has the exact same set of information that I have, then that attacker has access to the same systems I do. The amount of information they need (or the level of obscurity, if you will) determines the level of security. Something where you need to be on my VPN to get access to a whitelisted IP and then SSH in to the system where password-only auth is disabled is going to be a hell of a lot harder than something where you just need to know to hit port 8080 instead. But ultimately, my passwords and private keys are just very obscure information.

And in terms of end results, not being a target absolutely makes me more secure than an equivalent system that is a target.

* As far as authentication and encryption is concerned, at least. SQL injection and XSS protection being the two best examples where it comes down to actual implementation details.

"Secret" is not the same thing as "obscure". Your password is not "obscure", it's a secret - the same goes for all your examples. Yes, security-through-obscurity is more often cited in the example of "but my port wasn't 8080!", but I mention that here because the claim that teams of for-profit hackers will most likely not be targeting your system.

Sure, that might be the case - but that shouldn't set your mind at ease when it comes to security. Chances are you're going to be using an off-the-shelf or open so

You do know that whatever email solution you choose, unless you use full encryption in all your email messages, outbound and inbound (good luck with that) it's still pretty much in the open, and anyone who knows what they're doing in the intermittant path, especially your internet provider, can intercept and read (parts of) those emails?
At least google has proven their worth with standing up to the US gov't in stead of just bending over and giving them all plus some extra as some others have.

One wonders why it has to be so public though. You can easily set up secure login and data transfer to your own servers. I would wonder why email servers wouldn't be able to set up secure services for sending mail between them. Sure at one time encryption may have been too much extra work, but now it seems like it would be quite advantageous without having too much extra load on the systems. It would be really nice if you could request a message to be sent using encryption between your mail host and the

Uh, look at the headers in one of your mesages. Nowadays, most mail transport agents ("email servers") will use encrypted channels for talking to each other. In a typical 2011 setup, there will be an encrypted connection between the sender's mail user agent and his mail relay, then an encrypted connection between that one and the destination user's mail transport agent, then an encrypted connection between the destination's imap server and his mail user agent.

There is, it's called TLS (which is the same technology that modern SSL uses, so the same encryption used by https) and is implemented by STARTTLS. It establishes a secure connection between two email servers and sends the email off secure between them and it suffers from the following pitfalls:

1. It only encrypts the data stream between two email servers that support it, or between the email server and client.2. The email is still decrypted and stored plaintext in the queue of any given email server, and

If you're running the SMTP server on your machine, and set it up to accept encrypted SMTP, most SMTP MTAs systems will encrypt mail to you and your ISP won't have access to it. The real issue is getting other people to accept SMTP from you, as opposed to deciding that any home internet connection that tries to send mail is a spam botnet zombie.

And gmail may not be proactively handing the Feds everything they want on a whim, but if the Feds hand them a subpoena and a "don't tell the customer" order, they'l

My university just moved off Zimbra to Google Apps and most folks I know couldn't be happier.

Zimbra had an annoying, Hotmail-esque interface and was missing many of Gmail's innovative labs features.

It also had the disadvantage of, well, not being Gmail -- meaning the vast majority of folks I know use Gmail for their personal accounts, data security be damned, and thus having the same interface was a huge plus.

Are you absolutely sure you need to do this (as opposed to, say, regular automated exports from Goo

Google has proven they can no longer be trusted. People have had their accounts suspended for "name violations" and other perceived ToS violations that have led to loss of access to Gmail. They CLAIM to have fixed the issues, but then I see more people suspended. Also, their appeal process is inefficient and unreliable (I know one person waiting over two weeks now and their account still isn't fixed)

I'm also a big Roundcube fan, and use it on several sites. The nice thing about it is that you can just point it at an IMAP server, and it uses the IMAP server for authentication. It's quite easy to set up, and the GUI is a lot nicer than other competitors, like SquirrelMail.

Zimbra is nice too, but seems to lock you into a full stack of software. (There have been promises of a stand-alone version, but I've never been able to find it.) That might be the right answer for the original poster, but I found it to

As a guy who ran email servers for a small organization, let me say enjoy it while you can, because email admin is a never-ending pain in the butt. The spam management, the 24x7x365 server monitoring for security issues, the blacklisting and DNS issues, and that people get really bitchy when their email service is disturbed in any way.

Spot on. I ran my own full mail server for a while. It got old very fast. You really need at least two servers for fail-over and simply the ability to down one while you update the other. (And those two should be geographically separated so power outages don't take out both, etc.) *blech* So in the end what I've done is just have simple pop accounts, and then use fetchmail to pop the mail down to my own IMAP server. If my server goes down, I don't care, the mail just spools up at the ISPs (yes, multipl

Spot on. I ran my own full mail server for a while. It got old very fast. You really need at least two servers for fail-over and simply the ability to down one while you update the other.

No, you don't. If you are running a mail server just for yourself, you know it is going to be down, and you are probably trying to get it up again instead of reading mail. Other MTAs are required to hold on to mail they can't deliver for up to three days. If they don't, you probably didn't want that mail anyway.

You really need at least two servers for fail-over and simply the ability to down one while you update the other. (And those two should be geographically separated so power outages don't take out both, etc.)

Honestly, why would you go to that extreme for your own personal email? Do you have that level of redundancy for other pieces of equipment, like your car?

As a guy who ran email servers for a small organization, let me say enjoy it while you can, because email admin is a never-ending pain in the butt. The spam management, the 24x7x365 server monitoring for security issues, the blacklisting and DNS issues, and that people get really bitchy when their email service is disturbed in any way.

I also manage such things. I don't know why you say it's a never-ending pain because that's just not my experience. I use BIND, Postfix+Postgrey, DNSBLs, Spamassassin, ClamAV, SPF, Cyrus, Roundcube, and Nagios monitoring everything. Every now and then I get someone panicking because he hasn't got mail for 4 hours, and every now and then I have to investigate where a specific mail went wrong. Every 2 years or so I rebuild the systems on a newer distro and in the mean time I apply updates as needed. I have learn/spam and learn/ham folders that all users can dump spam and ham in and spamassassin is trained from those. It is work to look after these things but I would not call it a never ending pain in the butt. Most of the time it just works.

I totally agree about people getting bitchy when their email is disrupted in any way. I did have to go to work on xmas day once to reboot a crashed mail server. Guess it serves me right for using an old dell server for a critical service.

You don't understand why it's a never-ending pain while you're detailing how you have to do all of that stuff, which sounds like a full-time job? Look, if you're a sys admin, then it's not a never-ending pain; it's your job. But if it's not your job, it's a never-ending pain.

For many other people, email is mission critical. If you lose your email or lose connectivity for a bit, you're fucked. So yes, you can go through all that effort to run your server on a Dell and risk losing all your data, but it's not

I've hosted my own email for the past 15 years, and I simply don't see the problem you're describing at all. Spam is well handled by spamassassin. I've never had blacklisting or DNS issues. With just YOU controlling everything, and not multiple people, the change management problems are minimal. If you choose software with a proven track record, then the security problems become minimal. Install all your software from a linux distribution with multi-year support, turn on auto-updates, and the security problems mostly go away from all but the most dedicated and skilled attackers. You're a lot less juicy of a target than say Google, so the skilled attackers don't really care about you anyway. If it's just YOUR email, then the people getting bitchy is just you. I'd never host email for someone else. The only real issues are when the internet connection is down. Even then, you can get to any old mail, but new mail obviously doesn't come in. Even that you could fix with a low priority mx record pointed to a gmail account.

The one thing I would caution is you need to know what the hell you're doing. The OP said he was "a hobbiest and not a system admin". Well, if you want to host your own email, you'll soon learn the skills to be a real system administrator, (or give up and go back to hosting).

I agree completely. I started hosting my own e-mail server when I was in college (~6 years ago now), and I've been running it ever since. I did a lot of learning as I went along, and the setup has been about as stable as you can possibly expect it to be running over a home connection. Just in case though, I threw in a VM from Linode earlier this year (initially acting as my primary MX and forwarding to my home server, but now acting only as my backup MX), which brings the reliability up to a pretty good sta

Ooh I'm jumping on this thread! I had a static IP and ran my own E-Mail server for years and it is a huge pain in the ass. Every time you think you've killed the spammers, another one gets through. Constantly having to worry that your set-up is secure is also a huge pain in the ass. Even finding a mail client that doesn't completely suck is a huge pain in the ass.

I switched to google a few years ago and even though I'm not completely happy with them, the ass-pain factor is so much lower that I really don'

... and I can safely write that there is no way you will ever achieve anything comparable to gmail.

You can try:- squirrelmail, ugly and so last century- openwebmail, old-fashioned Perl webmail, not maintained any longer- zimbra mail, lots of functionalities and fancy features- roundcube, decent but nowhere near what you're hoping for

Spam control on the server side is going to be an issue. You will have to use a combination of solutions (e.g. custom sendmail configs, RBL/XBL blacklists, spamassassin, greylis

I've run Zimbra for 3 years now, back to 5.0.9, which I installed for my then employer. The architectural people there have taken, right along, an attitude that I can characterize only as "RFCs? Who cares about those?"

It doesn't handle fixed-pitch well; its editor won't re-wrap (though they might have finally fixed that in 7), it doesn't uknow from RFC 2369 -- in fact, it handles mailing lists poorly in general; notably, you can't change the Reply-To in any way when replying, if you generally want HTML off (as I do), the only way to turn it on is to dive into the Preferences and switch it, then reload; same turning off...

Check for bugs filed on their bugzilla by jra@baylink.com if you want a full list of the ignominy. But in general, I would say: evaluate it pretty thoroughly to see if you can deal with its crap before deploying.

Same here. I had an online agenda, mail, address book and all that running from my dsl box. Things were fine. Now I am full 100% Google. There is no way anyone is going to approach this level of polish with a 10 foot pole with open source stuff. You can get things done, sure, but it's going to take a heck of a lot of time and the result will be nothing compared to Google. But your data is yours. Can't beat that.

I've had my own self-hosted email for years. Every so often I wonder if it would make sense to "outsource" it all.

Then there was this rash of accounts being hacked on sites like Yahoo and that entirely cured me of any interest in depending on anyone else for this. I may not be the best mail admin out there but at least I don't have a target painted on my forehead. Whatever headache I have from being my own server admin is mitigated by not needing to explain myself to clueless rubes that think I've started s

Well, and that is understandable. That is also why I continue with a couple of domains and use google applications (though I do the web hosting on rackspace at this time). But, I used to enjoy doing my own server, etc. however, I have decided that I want a family and to focus on start-ups.

BTW, at some point, I will probably use fetchmail or some other daemon to copy our emails just to have local backups. But I will continue to use gmail to send. They handle too many things nicely and easily.
As to their looking into my mail, well, yeah, they do. So does microsoft, apple, yahoo, etc. And when you send your email, even the backbone servers watch and record. But if security is a real issue, then simply encrypt it and that way only those on the commercial server will not know what you sent.

And that will be your undoing. As an admin you should feel like it, always. Because you are responsible for security. If you think small sites don't get hacked, then where are the spam relays coming from? A crapload of them are small MX'es hacked....

It was great when it started out. It handles multiple domains. Handled spam well. Ran on a low end PC. Handled email for my family and a couple of friends.

Then it became a fucking pain in the ass to maintain. Mainly the spam filtering started failing, and it was a resource drain. Switched from spamassassin to dspam which improved the situation. But dspam was a fucking chore

Training spamassasin is not that big of a deal really. Just automate a process for feeding it new bits of spam to train the filters. You can do this by just designating a standard place for it to look for new examples.

It's Unix. If there are any "chores" then you probably failed to automate something and the solution is probably not that hard.

I've got the same setup and it is indeed a pain. I find myself having to constantly tweak my blacklists. Part of the problem is that we absolutely can't ever have any false positives, so I subtract points for DKIM and SPF. This would have been a great idea if companies like Yahoo! actually scanned their outbound mail before marking it as valid and hosting providers took faster action against spammers. Hurricane Electric and Rackspace seem to mostly just forward the abuse emails on to their customers, wh

The whole beauty of gmail isn't that you get a lot of neat features. It's the fact that your email almost always gets from point a to point b. This is because you have the luxury of being on a "big" mail server. Smaller mail servers, like one that you or I would set up do not get special treatment. The whole system right now is stacked against small mail servers. The minute you hit operation, you'll find that you might already be on spam lists, and that you have to fight to get yourself off of them. The minute you find that you're off the lists, you'll probably end up back on them because someone three ip addresses away has been sending welcome emails from his web site, and someone forgot that they asked for one.

If none of that scares you, the following list will get you close to what gmail can do.

So here is what you need first and foremost:

1. A dedicated server just for Zimbra with Domain Keys installed2. A block of 24-32 ip numbers. (49 ip numbers would be ideal, but it's harder to buy odd blocks like that.) Put your mail server as close to the middle of that range as possible. It sounds like a lot, but most collocation facilities can hook you up with this for 300-500 usd a month.3. Proactive attention to getting your ip block removed from all spam lists (especially Barracuda, their list is the most annoying for the high number of false positives) before the fact. Just let them know you exist.4. Pray that all of the hundreds of moving pieces you've just put in place don't break, that bad hackers don't brute force their way into your server. Strong passwords don't really help as much as people tell you they do either. That's now something you have to worry about too.

So there you go.It doesn't make sense to me that you would try to do this for something that only you would use.The expense is too high, and the benefit just isn't there.

Over the last few years, I've been offloading my email to the social networks and blogs. Facebook, Linked In, personal Drupal installations, Twitter, etc.

They don't have a lot of the core problems that email has, and pretty much everyone I communicate with will use one or multiples of those.

For everything else, I use Gmail for domains because, even if I end up upgrading and paying per account... it's still less of a headache than the Dante inspired hell that is managing my own email server.

The minute you hit operation, you'll find that you might already be on spam lists, and that you have to fight to get yourself off of them. The minute you find that you're off the lists, you'll probably end up back on them because someone three ip addresses away has been sending welcome emails from his web site, and someone forgot that they asked for one.

It's partially a matter of what you want to deal with, and how comfortable you are with making some issues somebody else's problem. Set up your own system.

Remember, telling a friend, relative, or business "*Your* system is rejecting my RFC-complaint emails. *You* should look into fixing that if you want to hear from me." is perfectly acceptable, even though a business telling you exactly the same thing isn't.

I don't know who your friends or relatives are, but if anyone told me that, I'd personally put them on my ignore list, as I have way too many things to do, and have about 0 control with any of my email "systems".

This kind of message is similar to "your government is not accepting my packages, *you* should look into fixing that if you want my deliveries"... it may be valid, but good luck with getting any meaningful response on that.

Every time I let myself get roped into managing an email server, it's Barracuda that I always have the most trouble with.

They're unresponsive, slow, and mean. The reason it's a problem is because of the high number of Barracuda firewalls that are out there at the moment. Companies large and small use them. Barracuda firewalls are evil. Pure evil. They serve no productive purpose, and have features that when enabled cost companies millions of dollars in lost productivity. They cover the whole spectrum of web

The previous "why" poster has it right. It's like you're complaining about success. You are never going to do it 50 percent as well as Google. -- don't try. Rolling your own is an academic exercise. Zimbra is ok-- if you can live in the 90s. Google is it. Just backup your data.

I know this isn't what your question is, and I respect your reasons (even though I don't understand them), but I think you'll find that most admins are going in the other direction. Email is something that should just work. When you host it yourself, you have to worry about a ton of factors... spam, incoming, outgoing, forwarding, being sure your mail isn't getting filtered by recipients' services (which requires a surprising amount of work from the default installations of most self-host services, though t

1. You rent a Linux host, point a domain name to it, and set up your own email accounts on that domain by means of installing the relevant email software stack like IMAP/POP3 service etc. You host - your rules - you can set up your own spam filters, rules, actually you can do so much my rambling cannot even cover half of it. You certainly can install some form of web interface to access your mail on it.

2. You do the same as above, but instead of renting, you just set up a

Kerio Connect is based on a lot of open-source technologies, and they do contribute back - but it is in itself a commercial product. For a small number of users, though, it's still a good value for those looking to DIY.

(disclaimer: Though I'm a user of it, I'm also a fairly large reseller by Kerio standards and my business gets a lot of our revenue from it)

The minus of Kerio is that it's commercial software and therefore not roll-your-own in nature. Limited tinkering is available. And to get updates after y

Kerio Connect [kerio.com]. Can be free if you become a partner and have less than 5 users or $540 which is still a great deal IMO due to the ease of administration and being able to set it up in mere minutes with very little effort. You very well could spend many times this in effort trying to do it yourself with a free product.

I guarantee you that any self-hosted system will have more downtime, and more overall management time than just sticking with Google or another provider.

I wouldn't put the e-mail server and the Web/database server on the same machine. In fact, if you're going to do this right, you probably want a mail server in a datacenter that does nothing but receive the incoming mail and hold it back in case your local e-mail server is down. And once you've done that, you might as well be using a

Outlook Web App, at least as of Exchange 2007, sucked. 2010 is probably better, but IMO Outlook is still the main method of access that Microsoft is concerned with. The other issue with Exchange is typically poor anti-spam/anti-etc, at least built in. If you're willing to run your mail through another anti-spam service first... then you're ok.

1) Install Linux2) Put all the software on it3) Be happy with yourself for mail actually working4) Get blocked by your friends email hosts because they have no idea who the hell your server is5) Learn about reverse dns, all the fucking host entries that you have to add so that you don't get automagically blocked by half the populated world6) Some asshole user sends email with no subject and an executable attachment, it comes back to them bounced and they scream at you.7) Same asshole user bitches and moans 3 times a day about how much spam they get and what a piece of shit your server is

This ends up with the following consequences:

1) Give up your life as an actual person. You're now a mail server admin2) You stop giving a shit about said asshole user.3) You start to second guess your decision to run your own mail server after somebody exploits something (weak password from asshole customer?) and sends half a million spam messages, and 2/3 of them bounce back at you.4) You start growing pale and have hideous dark bags under your eyes5) You're "that guy" in your apartment complex ("he never leaves!")6) Eventually you miss your life, the outside world, and what is left of your sanity.7) You start prioritizing your life and you finally give up and.....go back to Gmail.

It's ironic for me that you should post this on the day after I just abandoned my last home-maintained mail server in favour of Google.For the past 15 years I've been a mail administrator in some capacity for a variety of mail systems ranging from my own personal colo to a vast multi-national corporation. Solving the technical problems of building and maintaining a functional and reliable system was fun for a number of years, especially when email was dominated by geeks. But nowadays, running your own server is a perpetual nightmare.

First, there's the problem of where to host it. It has to be accessible wherever you are, and it has to be able to send mail out. If you're planning on hosting it at home, on the end of a cable/DSL/fios connection, bear in mind that your IP address will almost certainly be blackhole listed. Also, your ISP may well be blocking outgoing mail to prevent spam. You will probably have to configure your system to route all out going mail via your ISP's SMTP server. Why are you hosting an SMTP server again?If you're hosting it in a nice VM or in a colo, you're better off, but paying. Google costs you nothing.Next, storage. Obviously that's no problem because you have a mirrored RAID eleventy-five array you built yourself. If that's in the colo then you can forget about it - except when a drive goes bad or it crashes unexpectedly. But then it's fine because you're paying for support aren't you. And backups. You are backing it up aren't you?Next the server software. Personally I've had a lot of success with Sendmail/Cyrus IMAP/IMSP/Squirrelmail and friends, despite enduring jeers from other sysadmins who think they have a better combination. In the end, it doesn't matter. They all suck. They all need patching regularly. They all break. They all need tweaking on a regular basis.Then the final turd in the swimming-pool: spam. It costs you so, so much; bandwidth, around 95% of all of the inbound traffic is spam; time, configuring and maintaining spamassassin and various blackhole lists that occasionally start rejecting mail indescriminately; pride, the only time your clients contact you will be to ask why the mail is so slow and why there's so much spam. "But my gmail doesn't get this much spam - can't you filter it" they say, while you bite chunks out of your tongue. Spam to a mail administrator is like the gopher in Caddyshack: it will keep you awake and turn you into a monster. And the day will come where you, spam-slayer and junk-mail terminator, get put on a blackhole list for being a spammer. That's really fucking harsh the first time.

I could go on. but we're already in the TL;DR territory.

Most people do not host their own mail server. They live longer and healthier lives as a result. Follow their example and let Google worry about all of that for you - and in return you just have to pay them...nothing.

Personally I've had a lot of success with Sendmail/Cyrus IMAP/IMSP/Squirrelmail and friends, despite enduring jeers from other sysadmins who think they have a better combination. In the end, it doesn't matter. They all suck. They all need patching regularly. They all break. They all need tweaking on a regular basis.

This! Even on the software side of things, it's constant fiddling and tinkering. I spent about 7 or 8 years administrating qmail and postfix. If it wasn't Spamassassin or the anti-virus going haywire, there would be some other issue. Some braindead mope setting his password to something ridiculous resulting in a flurry of spam sent out a week later, some guy infecting his laptop with something nasty and sending out a fuckton of spam... A bug in all the shit that glues qmail, spamassassin and the anti-virus together that generates a veritable shitstorm of bounce messages to yourself, resulting in more bounce messages to yourself until finally the queue is stuffed with bounce messages...

Of course, nothing would be complete without the mail queue going corrupt. And once that happens you know you'll be making a tarball of that sucker and cleaning it as fast as possible to get it back online. After that you get do something fun, that's digging through the mailqueue with some obscure shell script from some guy who actually had this very rare thing happen to him too that one time, only with just a small difference, so it won't work out of the box of course. Oh, don't worry, at times like these there will be absolutely nobody breathing down your neck, especially not the person who told you to go F*** yourself when you suggested that it might be a good idea to not be so dependent on a single mail server.

Then the final turd in the swimming-pool: spam.

And the problem with spam is : once you've mitigated the issue you just KNOW that by this time next month you'll be at it again and again and... And then there's the problem of false positives. If someone so much as suspects having a false positive there's hell to pay. "You marked this as spam but this is an actual e-mail". Not "The mailserver marked this as..." but YOU.

Oh, don't worry, the foam you have at the mouth that day can be reused in meetings about why the mailserver was rejecting all incoming e-mails.

the only time your clients contact you will be to ask why the mail is so slow and why there's so much spam

Or why they can't send out an attachment of 4GB, why their mailbox is full, why their mail from russianbrides.com isn't coming through,... Oh don't worry, deep down you know by the sheer volume of mail you handle daily your users love you.

put on a blackhole list for being a spammer. That's really fucking harsh the first time.

That was the breaking point for me. I simply gave the mailserver an IP in a range that wasn't blacklisted and started looking for a new job. On my way out I congratulated the guy who was promoted to the new mail admin and whistled a merry tune as I shut the door behind me. I vowed never to touch mailservers again in my life and became a better person because of it.

Take this advice and heed it well : Unless you have a REALLY good reason to do your own e-mail, just fucking don't. I'm sure that a lot of people are going to say "Run qmail", "Run postfix" or "Run sendmail" or whatever and point you towards a lot of incredible HOWTOs, but the truth is that's just the beginning of it, and it will slowly devour more and more of your time until one day somewhere between 10PM and 1AM you're upgrading some part of the mailserver again and wondering to yourself : "What happened? I used to do so many cool and interesting things..."

If you don't want to deal with Google, find a reliable company you want to deal with and have them do it for you. Running a decent mailserver is just a pain in the ass.

I have been doing it for years and it is not that big a deal once it is configured.If you want to get fancy then it can be a problem.We run courier (I wanted sendmail but lost ) using imap to our local net.it runs on a local virtual machine and is pretty much maintenance free.It can not be accessed from outside (the "fancy" part) and it has no spam filtering.The jewel in this is the alias file. Untrustworthy sites (most) get a specific alias.If I get spam with that I delete the alias.

I've got my own domain and hosting. I use that to manage all my email addresses and then forward them to Gmail. When I send an email in Gmail, it authenticates and sends it via the email address of my choice. This means that I get the benefit of google's interface, labels, spam filter etc without my email address belonging to them. Effectively, I can get the good stuff now and should they pick up the ball and go home I still have what I really need (access to the addresses people are using).

Even before opening this article I knew it would be overflowing with cries to drop this self-dependency stupidity and just surrender to the corporate gods.

What the fuck?

What is the purpose of free software if you are not supposed to use your freedom? You can build your system using open standards, install an open source OS with an open source mail server. But you will get blocked because you are not a business? More over, what is the purpose of freedom when you are not supposed to exercise it? It really has come to the point where "freedom" means "freedom to work for the system".

It should not be like this, it doesn't have to be like this. There's plenty of solutions, something like WoT can be build to prevent spam much better than a simple "block everything not from gmail yahoo or hotmail" that's just business whoring.

The guy is "a hobbyist, not a sysadmin" and is looking for a self-hosted alternative webmail. The thing is, unlike a lot of other parts of life, mail hosting is basically a sewer of pain. Potholes and pitfalls are absolutely everywhere. To make a bad analogy, the guy basically posted "I'd like to be more independent. So I've decided to learn to fix my car, start growing some vegetables in my backyard. And, oh yes, have a baby. Are babies hard?" All of those are valid goals, that people everywhere should aspire to. But, as the germans say, he needs to be aware of the commitment and Kindersheisse of maintaining a mail server.

And I've been on both sides of the "black-hole everyone's mail" problem. If a server is sending out spam, a single server can easily be sending out hundreds of pieces of spam to each and every one of your users per day. Chances are, that "server" is a hacked Windows XP box someone in their IP block left online (there really aren't anything other than hacked Windows XP boxes online these days). Or a server with inadequate protections that is being maliciously harnessed. Or someone put the address into a blacklist wrong. Either way, without these blacklists e-mail service as we know it would be over. And, unfortunately, there are people profiting from spam, fighting every bit as hard as the legitimate users to get off of the blacklists.

And that's without taking into account the basic technological issues, like needing redundancy and response significantly higher than take-it-or-leave-it services. If your docs server is down, you have to wait a bit to access your documentation. If your mail server is down for long enough, you lose all of those messages. Also, all of your clients get messages that your system is down, but you don't. You get hit constantly by volumes of spam, leading to waves of DDOSing. People don't back any mail up, but require it to be available forever. And, this may just be personal perception, but I swear that all mail servers are coded to be suicidal.

So yes, the effort put out to host one's own mail server is disproportional to the payoff in terms of personal information security. Because it's not building a server. It's committing to hosting an ongoing part of the mail ecosystem.

Speaking as a hobbyist here, I have done what you're asking about for the last eight years and I have very close to zero problems, however there was some ground work that had to be laid. Oh, disclaimer, I'm also a sys admin for a major hosting company (I won't tell you who) so my definition of "easy" may not match yours.

0) If you're hosting at home, make sure you have an ISP that doesn't suck (i.e. use a local ISP). I use a local ISP that has DSL/FTTC (If you happen to live in an area served by the FTTC) co

Some NAS devices support a complete email server, even if it's not always installed or active by default (usually it's not). We have a Synology NAS, and use its email server [synology.com] to combine local email (for our dyndns "domain") and accounts on a number of external hosts. Since it's on the NAS, useful features such as automated backup to external disk include the email with little extra configuration.

Postfix 2.8.x for the MTA (2.8 has the new postscreen feature which is great to help with SPAM control)Dovecot for IMAP POP3 as well as for SASL AUTHRoudcube or Squirrlmail (take your pick) for webmailPostgreSQL or MySQL for database backendSpamassassin to catch what SPAM is missed by postscreen.ClamAV to scan for virusesAmavisd-new to interface psotfix to spamassassin and clamavPostfixAdmin for managing your domains and accounts from the web.

You have to be blind if you consider Squirrelmail anywhere close to comparable to a modern interface like Gmail. It pretty much embodies the visual style of '90s Perl scripts, and that's certainly not a good thing.

Isn't Squirrel just an interface? He's going to need something a little more than that - Postfix is the thing you need.

Now, having done exactly this for a long time (and having also moved everything over to Gmail for domains) I have a few observations:

- running your own email server gives you a warm inner glow and feeling of independence, but that's about it.- check your logs daily, intrusion attempts happen constantly.- dedicate the box to email only, that is - close down every port you don't need.- don't run anything you don't need on that box.- for the love of god don't run php (which might cut out squirrel mail).- you'll need a set of good spam handlers. There's some good suggestions in posts below.

Personally, if you were really going to do this, I'd get a Mac mini. It comes with everything you need in terms of unix tools by default. It runs low power, it runs quiet. And there's slightly less chance of you getting owned. Always kep your patches up to date.

I eventually moved away from this because I got tired of being a paranoid sys-admin at home. Dealing with uptime issues also made me rethink what I was doing when email started to become critical to my finances - you'd be surprised how unreliable home dsl and power systems are when you really, really need them.

Currently, I have both roundcube and squirrelmail exposing my imap mailboxes. I tend to use roundcube, but other users tend to use squirrelmail. There are some capabilities in squirrelmail not in roundcube.

I hope this doesn't sound too negative, roundcube is pretty good, but I've found it to be somewhat troublesome if you're running it over SSH - accessing it across a slow network, or any network with latency issues (wifi / 3g etc) tends to bog apache down to the point where it (apache) can require a restart. CPU load is pretty high when this happens too. The ajax thing isn't so good for trigger happy mouse clickers either - it often just stops responding, the only thing that gets it running again is a page r

You can always set up a your webmail on a private ip subset, or a whitelist dmz using iptables, where only you can access it. That would at least solve the scanning probing problem. Or a private VPN! Yay! Then you're learning about how vpn's work. Like I said, Dante may have known hell. But he did not know email servers at all. They would have scared the shit out of him.

The open source web mail interfaces are not even close to what gmail does.

On this point I have to disagree. gmaill is highly capable and all, but I actually prefer roundcube's interface over gmail's.

I also disagree that maintaining a mail server competently is that hard for a single domain with maybe a half-dozen users. If you stick to packages provided by a linux distribution, distribution updates will handle most security updates. Many ISPs have blessed relays for your use that alleviates the blacklist problem significantly.

Actually, for $10 a month you can get a Dreamhost account which I find is very reliable. They actually give you 50 GB of backup space to do whatever you want to with, which is completely separate from your web space. They have "unlimited" space and transfer on your http directory, but they frown on using that for backup. Which is why they give you the secondary backup location.

You apparently haven't been using Dreamhost very long, or you haven't been paying much attention. "Reliable" is not the right term for DH. Still, even though they're horribly oversold, I like them enough to keep my account (had it since 2004, when they were already oversold and unreliable, but not quite as bad). The price is right for what it is, and for things that need to be reliable, I use other services.

If you want to run your own mail server you will have a problem, you will need a reverse ip resolution for your domain. Without this, your outgoing mail will be marked as spam, many big companies do so, for example Google. Without this your mail will go directly to spam folder.Good luck with your ISP.

Quite right, forward and reverse DNS should match and a static IP is a must. However setting reverse DNS should not be a problem on any business connection, a dedicated, or a virtual machine. Even some domestic ISPs let you set your reverse DNS.

Basically what I use too, without the webmail components because webmail just isn't that important when you have authenticated SMTP / POP / IMAP using your secure certificates. Buy yourself a VPS with Ubuntu on it and follow the Ubuntu tutorials for those software if you aren't confident doing it (they do exactly all this config we're talking about for you).

I collect all my mail in Opera and if I really wanted something like squirrelmail, I'd make it only available to localhost and SSH/VPN into the server

Webmail's useful if you want to keep all your mail on somebody else's server and not need to install client software on your PC, which is to say that it's really convenient for service providers. But if you're running your own server anyway, how often are you connecting from machines you don't control? You could be using a POP/IMAP client instead, and get a better user interface.

Of course, I'm still using Eudora, because my fingers know all the shortcuts and I don't want to figure out if Thunderbird has m